The General Data Protection Regulation (GDPR) applies from 25 May 2018 - learn how Workday HCM can help you comply.
So, what is GDPR? What does it mean for organisations and workers (employees and contingent workers), and how can your Workday HCM solution be configured to meet its requirements?
What is GDPR?
It is a single EU regulation (Regulation (EU) 2016/679) that consolidates and standardises the EU's position on the collection, storage, processing and disposal of "personal data". It replaces the 1995 Data Protection Directive and the patchwork of national laws that implemented it. One of the ways it does this is to broaden what counts as "personal data" to include more items as identifiers, e.g. location data, online identifiers, economic data and social or cultural identity. It applies to structured paper filing systems as well as to electronic data, and it applies to any organisation processing the data of people in the EU, wherever that organisation is based.
Key features of GDPR
Where an organisation relies on consent as its lawful basis, that consent must be freely given, specific, informed and unambiguous. This is stronger wording than previously used, and is meant to address consent being assumed from inaction, pre-ticked boxes or vague blanket statements. It must also be as easy to withdraw consent as it was to give it. One caveat matters for HR: consent is only one of the six lawful bases in Article 6, and the regulation notes that consent is unlikely to be "freely given" where there is an imbalance of power, as between an employer and an employee. Core HR processing (payroll, contracts, statutory reporting) is therefore usually based on performance of the employment contract, a legal obligation or legitimate interests, and consent should be reserved for genuinely optional processing. Whatever basis you choose, record it, because you will need to cite it in privacy notices and in responses to access requests.
For the optional cases, we suggest that employers using Workday Recruiting configure a business process that sends every job applicant in the EU a workflow task inviting them to follow a link to a consent form. The form should give a clear explanation of what data will be held on them, for what purpose, for how long and under what circumstances it will be shared. Refusing consent would route the workflow to HR so that the issue can be dealt with in line with the other GDPR requirements described below; it must not simply block the application, since consent that is a condition of applying is not freely given.
Withdrawal of consent should also be available at all times to EU workers as an Employee Self Service action, routed to HR in the same way, and the date and scope of the withdrawal should be recorded.
The right to be informed
Individuals have the right to be told what personal data an organisation collects about them, why, on what lawful basis, who it is shared with and how long it is kept. When the data is collected from the individual (Article 13), this information must be given at the point of collection, so if you use Workday Onboarding to let pre-hires enter their own details, the privacy notice belongs in that onboarding process. When the data comes from somewhere else (Article 14), for example a reference or a background check, the individual must be informed within a reasonable period and at the latest within one month. Notifying workers of changes made by others is not strictly required by this right, but it is good practice: if someone else changes a data item, for example a marital status or a gender, we suggest that you configure Workday to notify the worker it relates to so they are a) aware of the change and b) able to see and check the data for themselves.
The right of access
Individuals have the right to obtain a copy of the personal data an organisation holds about them, together with the purposes, recipients, retention period and source of that data, normally free of charge and within one month of the request. Day-to-day access is straightforward in Workday as long as workers are given accounts and are able to log in to view their data. However, self-service does not cover everything a subject access request can demand (data held in notes, attachments and audit history, for example), so we also recommend that organisations configure and deploy a report to all workers that extracts all of their personal data (see The right to data portability below), and that HR has a documented process for responding to formal requests within the deadline.
The right to rectification
Individuals are entitled to have personal data corrected if it is inaccurate or completed if it is incomplete. Again, this is straightforward in Workday by configuring Employee Self Service Business Processes. You would need to consider which changes can be applied directly and which need to be routed to HR for approval (for example changes to legal name, bank details or right-to-work data), and Workday's audit history will show who changed what and when, which is useful evidence that a rectification request was acted on.
The right to erasure
Otherwise known as the "right to be forgotten". The regulation gives individuals the right to have their personal data deleted where, among other grounds, it is no longer necessary for the purpose it was collected for, consent has been withdrawn and there is no other lawful basis, or an objection has been upheld. The right is not absolute: an employer can, and often must, retain some data about a terminated employee to meet statutory obligations such as tax, payroll and pension records, so a retention schedule stating what is kept, for how long and why should be agreed before the first request arrives. Workday already provides the ability to purge the system of data relating to a particular worker or group of workers (or, in the case of Workday Recruiting, applicant or group of applicants), which could be used when an individual asks to have their data removed, e.g. a terminated employee or an unsuccessful applicant. Bear in mind that a purge of the Workday tenant does not by itself erase copies that have been sent to other systems through integrations, or that sit in backups, and those need to be covered by the same process. What could be more complex is erasing data on a current worker who has withdrawn consent; this would depend on exactly which processing the individual was objecting to and on whether another lawful basis applies to it.
The right to data portability
This is an area where Workday is well placed. Individuals have the right to receive the personal data they have provided, where it is processed by automated means on the basis of consent or a contract, in a structured, commonly used and machine-readable format, and to reuse it or have it transmitted to another controller. Workday supports integration with other systems for the accurate transfer of data and also allows an individual's data to be downloaded in XML format or into Microsoft Excel. XML satisfies the machine-readable requirement; if you offer Excel, consider also offering a plain CSV export, which is more readily imported by other systems. Note that the right covers data the individual supplied, not data the organisation derived from it such as performance ratings or assessments.
The right to object
Individuals are entitled to object to their personal data being processed where the processing is based on legitimate interests or a public task. The burden is then on the controller, not the individual: the organisation must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests, or the processing is needed for legal claims. An objection to direct marketing must always be honoured. Workday can be configured to enable individuals to raise an objection via Employee Self Service, routed to HR in the same way as the consent withdrawal described under Key features of GDPR above, so that each objection is recorded and assessed.
A modern cloud-based HCM solution like Workday, implemented correctly, can:
- support an organisation's compliance with GDPR
- help demonstrate that compliance to both individuals and regulators, through its audit history and configurable business processes
- enable non-compliant legacy systems and data sources to be retired, reducing the number of places personal data has to be found, corrected and erased